Riga 1: |
Riga 1: |
− | {{Server|fabula}}
| + | #REDIRECT [[meta:Wikimedia Italia/Website/Technical documentation]] |
− | {{Bozza}}
| |
− | Public technical documentation for the '''https://www.wikimedia.it/''' website.
| |
− | | |
− | == Server access ==
| |
− | | |
− | <pre>
| |
− | ssh fabula.wikimedia.it
| |
− | </pre>
| |
− | | |
− | To request access:
| |
− | | |
− | * [[Infrastruttura]]
| |
− | | |
− | == Overview ==
| |
− | | |
− | <pre>
| |
− | ┌─────┐ ┌─────────────────┐ ┌───────────────┐
| |
− | │Alice│ │Apache (:80 :443)│ │PHP-FPM (:9003)│
| |
− | └──┬──┘ └────────┬────────┘ └───────┬───────┘
| |
− | │ request │ │
| |
− | │<────────────────────>│ │
| |
− | │ │ │
| |
− | │ │ request │
| |
− | │ │<─────────────────────────>│
| |
− | ┌──┴──┐ ┌────────┴────────┐ ┌───────┴───────┐
| |
− | │Alice│ │Apache (:80 :443)│ │PHP-FPM (:9003)│
| |
− | └─────┘ └─────────────────┘ └───────────────┘
| |
− | </pre>
| |
− | | |
− | ([http://www.plantuml.com/plantuml/uml/SoWkIImgAStDuNBCoKnELR3HjLDGSYn8JCv8LT2miZ1Gi38nCTPKKh1IA4ejB4qjBk728WlH5U0HeEiMu0kKi3GmGDNZa9gN0hG30000 refresh])
| |
− | | |
− | == File system ==
| |
− | | |
− | The application is under:
| |
− | | |
− | /var/www/wmi/wordpress
| |
− | | |
− | == Database ==
| |
− | | |
− | The database is called <code>WMIDB</code>.
| |
− | | |
− | It has a dedicated user called in the same way.
| |
− | | |
− | == Update ==
| |
− | | |
− | Normally, for security reasons, the application should be set in read-only more, writable only by <code>root</code>.
| |
− | | |
− | Before being able to do an update you have to run this:
| |
− | | |
− | <pre>
| |
− | chown apache-wmi: -R /var/www/wmi/wordpress
| |
− | </pre>
| |
− | | |
− | Then, when your upgrade is concluded, run again the [[#Hardening]] part.
| |
− | | |
− | == Hardening ==
| |
− | | |
− | After you have done any [[#Update]], please execute this hardening process:
| |
− | | |
− | <pre>
| |
− | # first step: make whole application read-only for everyone
| |
− | chown root: -R /var/www/wmi/wordpress
| |
− | | |
− | # second step: protect some secrets
| |
− | chmod o= /var/www/wmi/{tmp,session}
| |
− | chmod o= /var/www/wmi/wordpress/wp-config.php
| |
− | chown root:apache-wmi /var/www/wmi/wordpress/wp-config.php
| |
− | | |
− | # third step: allow write-mode on some locations
| |
− | chown -R apache-wmi: /var/www/wmi/{tmp,session}
| |
− | chown -R apache-wmi: /var/www/wmi/wordpress/wp-content
| |
− | </pre>
| |
− | | |
− | == Configuration ==
| |
− | | |
− | WordPress configuration:
| |
− | | |
− | nano /var/www/wmi/wordpress/wp-config.php
| |
− | | |
− | Apache configuration:
| |
− | | |
− | nano [[phabricator:diffusion/WIIN/browse/master/servers/fabula/conf/httpd/sites-available/it-wikimedia-www-ssl.conf|/etc/httpd/sites-enabled/it-wikimedia-www-ssl.conf]]
| |
− | nano [[phabricator:diffusion/WIIN/browse/master/servers/fabula/conf/httpd/sites-available/it-wikimedia-www-txt.conf|/etc/httpd/sites-enabled/it-wikimedia-www-txt.conf]]
| |
− | | |
− | PHP-FPM configuration:
| |
− | | |
− | nano /etc/opt/rh/rh-php73/php-fpm.d/9003-it.wikimedia-wordpress.conf
| |
− | | |
− | To publish whatever change in Wikimedia Phabricator please run this:
| |
− | | |
− | <pre>
| |
− | /root/scripts/commit.sh | |
− | </pre>
| |
− | | |
− | == Log ==
| |
− | | |
− | Generic Apache error log:
| |
− | | |
− | tail -f /var/log/httpd/error_log
| |
− | | |
− | Generic Apache access log:
| |
− | | |
− | tail -f /var/log/httpd/access_log
| |
− | | |
− | == Service ==
| |
− | | |
− | To apply your changes you need to restart the services.
| |
− | | |
− | Service of the apache frontend webserver:
| |
− | | |
− | <pre>
| |
− | apache2ctl configtest
| |
− | apache2ctl graceful
| |
− | </pre>
| |
− | | |
− | Service of the PHP-FPM backend webserver:
| |
− | <pre>
| |
− | systemctl status rh-php73-php-fpm
| |
− | systemctl restart rh-php73-php-fpm
| |
− | </pre>
| |
− | | |
− | == Unix user ==
| |
− | | |
− | The PHP-FPM application runs under a dedicated low-privileged Unix user:
| |
− | | |
− | <pre>
| |
− | $ id apache-wmi
| |
− | uid=1439(apache-wmi) gid=1439(apache-wmi) groups=1439(apache-wmi),48(apache)
| |
− | </pre>
| |
− | | |
− | Created with:
| |
− | | |
− | <pre>
| |
− | $ adduser -d /var/www/html -s /sbin/nologin -g apache apache-wmi
| |
− | </pre>
| |
− | | |
− | == E-mail ==
| |
− | | |
− | TODO
| |
− | | |
− | This service uses an SMTP account <code>@wikimedia.it</code> with username <code>noreply</code>.
| |
− | | |
− | See [[#Configuration]].
| |
− | | |
− | See [[Associazione:Mail/Caselle tecniche|technical addresses]].
| |
− | | |
− | == Phabricator ==
| |
− | | |
− | * [[phabricator:search/query/mTCwTQdJGR4a/#R|phabricator:search]] - search recent activity
| |
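Review bot: the change replaces the whole page with a redirect, so every removed section must already be present at the meta target before this lands; in particular the Update and Hardening sections only make sense as a pair, because `chown apache-wmi: -R /var/www/wmi/wordpress` makes the entire tree, `wp-config.php` included, writable by the PHP-FPM user and is only acceptable if `chown root: -R /var/www/wmi/wordpress` and the `wp-config.php` ownership step are re-run afterwards. Two inconsistencies in the removed text are better corrected at the target than copied over: the Service section uses `apache2ctl`, while every other path on the page (`/etc/httpd/...`, `/var/log/httpd/...`, `rh-php73-php-fpm`) points at a RHEL-style httpd host where the control tool is `apachectl`; and the `adduser ... -g apache apache-wmi` command would make `apache` the primary group, whereas the `id` output shows primary gid `1439(apache-wmi)` with `48(apache)` only as a supplementary group. The page was also still tagged `{{Bozza}}` with a `TODO` under E-mail, and the target is a public meta page that will now carry the SSH host name, filesystem layout, database name, backend port and SMTP account name, so the target should be checked for what belongs in public documentation.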